package April.Twenty_six;

import javax.xml.transform.Result;
import java.sql.*;
import java.util.Scanner;

/*
java程序实现用户登陆，用户名密码，数据库检查
向数据库注入攻击，演示被别人注入攻击
 */
public class JdbcDemo_1 {
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        //        注册驱动
        Class.forName("com.mysql.jdbc.Driver");
//        2. 获取连接对象
        String url = "jdbc:mysql://127.0.0.1:3306/myBase?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC";
        String userName = "root";
        String password = "123";
        Connection conn = DriverManager.getConnection(url, userName, password);
//        3.获取执行sql语句， 语句对象
        Statement stat = conn.createStatement();

//        执行sql语句，数据表，查询用户名和密码，如果存在，登陆成功，不存在登陆失败

//        下面这种方法将密码和账户都写死了 而一般我们登陆都是用户直接输入的
//        String sql = "SELECT * FROM users WHERE username='a' AND PASSWORD='1' OR 1=1";

        Scanner sc = new Scanner(System.in );
        String user = sc.nextLine();
//        输入密码时输入 XXX‘or’1=1  则无论账户密码是否正确 都会显示
        String pass = sc.nextLine();
        String sql = "SELECT * FROM users WHERE username='" + user + "' AND PASSWORD='"+pass+"' ";
        ResultSet rs = stat.executeQuery(sql);
        while(rs.next()){
            System.out.println(rs.getString("username")+" " +
                    " "+rs.getString("password"));
            sc.close();
            rs.close();
            stat.close();
            conn.close();
        }
    }
}
